From 1f323a48e9b5ebfe6dc7d130fdf5c3c0e92a07c8 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Mon, 22 Sep 2025 14:44:49 -0400 Subject: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg [ Upstream commit 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 ] Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan Reported-by: Bing-Jhong Billy Jheng Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- include/crypto/if_alg.h | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'include/crypto') diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index a406e281ae57..1424200fe88c 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -136,6 +136,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len; -- cgit v1.2.3